We use cookies to customise content for your subscription and for analytics.If you continue to browse Lexology, we will assume that you are happy to receive all our cookies. For further information please read our Cookie Policy.

French Digital Republic Law Expands Rights of Users and Regulators (Law No. 2016-321 of 7 October 2016)

On 7 October 2016, the president of the French Republic promulgated the Law for a Digital Republic. This promulgation closes the legislative process commenced in December 2015, which itself was preceded by a public consultation initiated by the Conseil national du numérique (the French Digital Council) between October 2014 and February 2015, and which permitted the French government to present its digital strategy in June 2015. Structured around three titles (circulation of data and knowledge; protecting individuals in the digital society; universal access to data technology), this law addresses a variety of subjects, which all aim to accompany society in its digital transition. In essence, instead of creating a new legal framework, this law broadens the existing legal structure. This Client Alert summarizes certain changes made by this new law. 1. Change in the regulation applying to personal data (amendments to Law No. 78-17 of 6 January 1978) The Digital Republic Law substantially amends the 1978 French data protection law (loi Informatique et Libertés), in part in order to prepare for the European general data protection regulation that is set to come into force on 25 May 2018 (Regulation (EU) 2016/679 of 27 April 2016). 1.1. Strengthening the rights of data subjects • Right to decide and control the use of personal data (Art. 54 of the Digital Republic Law) Article 1 of the 1978 data protection law is supplemented by the creation of a fundamental right for a data subject to “decide and control the use made of personal data relating to such data subject under the conditions determined by this law.” This provision, which takes its inspiration from the so-called German constitutional principle of “informational selfdetermination,” seeks to guarantee control over data, and in particular the ability for the data subject to decide whether data should be communicated and how the data should be used. In the context of a digital society in which more and more traces of personal data are being created, this right, which is being presented more as a personality right than as a property right that may be traded, must allow the individual to become the driving force of his or her own protection. Latham & Watkins | Page 2 • Post-mortem rights to be forgotten (Art. 63 of the Digital Republic Law) The 1978 data protection law is supplemented by Article 40-1, which introduces the concept of “digital death” into French law. Under this new article, data subjects have a right to create instructions during their lifetime relating to the conservation, deletion and communication of their data after their death. These instructions will be registered with a trusted digital third party and recorded in a single register, the operation of and access to which are yet to be determined by a decree of the Council of State (Conseil d’Etat). All providers of online electronic communications services to the public will be required to inform users about what will happen to their data upon death, and allow users to choose whether or not their data will be transferred to a designated third party. Any contractual provision contained in general terms of use that limit these new prerogatives shall be deemed null and void. In the absence of instructions from the data subject, the rights in question may be exercised by their heirs, who notably have the right to initiate the closure of all of the deceased’s user accounts. • Minors’ rights to be forgotten (Art. 63 of the Digital Republic Law) Article 40 of the 1978 data protection law is supplemented by a new section II, which allows a data subject that has reached adulthood to request the deletion of his/her personal data that was collected when such person was still a minor. This supplement applies in particular to data collected in the context of the internet. However, this deletion right is not absolute and is limited by circumstances set forth in the law, e.g., limits include exercising the right to freedom of expression and information, or complying with a legal obligation. In cases where the data was provided to a third party (who is also a data controller), the data controller that was requested to delete the data must take reasonable measures, including technical measures, to inform such third parties of the deletion request. This requirement suggests a simple duty to take reasonable care, and not an obligation to achieve a particular result. • Strengthened right to be informed (Arts. 57 and 63 of the Digital Republic Law) Article 32 of the 1978 data protection law is amended to include among the information that data controllers must communicate to data subjects the “conservation period for the categories of processed data, or, if this is not possible, the criteria used to determine such period,” and to add a right for the data subject “to give instructions relating to the fate of his/her personal data after his/her death.” • Electronic exercise of rights (Art. 58 of the Digital Republic Law) An Article 43 bis is added to the chapter relating to “rights of individuals with respect to the processing of personal data.” Under this new article, if the data controller has collected data electronically, following the principle of “parallel forms,” the data subject may exercise his/her rights using the same method. However, the Digital Republic Law specifies that this measure to simplify the exercise of rights is set to be repealed on 25 May 2018, at the same time as the European general data protection regulation comes into effect. • Rights of minors in the context of health research (Art. 56 of the Digital Republic Law) Article 58 of the 1978 data protection law has been amended to detail the rules that apply to the processing of minors’ data in the context of certain health-related research. In particular, a minor that is 15 years old or older has a right to refuse that persons with parental authority have access to such minor’s data, as well as the right to refuse that such persons be informed of the very fact that such data is being processed. Latham & Watkins | Page 3 1.2. Strengthening the Commission Nationale Informatique et Libertés’ authority to sanction • Amendments to the escalation of sanctions in cases of breaches of the 1978 data protection law and publication thereof (Art. 64 of the Digital Republic Law) Section I of Article 45 of the 1978 data protection law, which sets out the escalating sanction powers available to the French Data Protection Authority (Commission Nationale Informatique et Libertés, or CNIL) has been amended. In the case that a data controller breaches its obligations arising from the 1978 data protection law, going forward, the first level of sanctions is a formal notice which the president of the CNIL will issue, and the minimum period of time within which the breach must be cured is reduced from five days to 24 hours. Except in the case described below, the CNIL’s restricted committee (formation restreinte) can no longer directly issue a warning without having initially observed this formal notice phase which the CNIL’s president must commence. If the identified breach cannot be cured within the framework of the formal notice process, the CNIL’s restricted committee is now authorized to issue any sanctions (warnings, financial sanctions, injunction to cease processing data) without first issuing a formal notice. Section III of Article 45 was also amended to allow the CNIL’s president to commence summary proceedings (référé judiciaire) in cases of serious and immediate violations of rights and liberties for the purpose of having any necessary measure ordered, and not just measures limited to security as was previously the case under the law. Finally, pursuant to Article 46 of the amended 1978 data protection law, notification of sanctions is toughened. The CNIL can now order that the sanctioned data controller individually inform, at its own expense, each of the data subjects concerned by the issued sanction. • Increase in the amounts of financial sanctions (Art. 59 in fine and 65 of the Digital Republic Law) Article 47 of the 1978 data protection law has been amended to significantly increase the amount of financial sanctions, from €150,000 (up to €300,000 in cases of repeat offences) to €3 million. This increase anticipates the coming into effect of the European general data protection regulation which, for certain breaches, contains financial sanctions as high as €20 million or, for companies, up to 4% of the total annual worldwide turnover. The new drafting of Article 47 of the 1978 data protection law also specifies the criteria that the CNIL can take into account when determining a proportionate financial sanction, including: intentional or negligent nature of the breach; measures taken to limit damages; degree of cooperation with the CNIL (which includes the way the CNIL was notified of the breach); and categories of data involved in the breach. 1.3. Articulation of the 1978 data protection law with the entry into force of the European general data protection regulation (Art. 65 of the Digital Republic Law) The Digital Republic Law requires the government to provide a report to the French parliament before 30 June 2017 that sets out the amendments to the 1978 data protection law that are necessary due to the entry into force of the European regulation. Certain overlaps with the European Regulation are, however, already provided for, e.g., the repeal of an article of the 1978 data protection law introduced by the Digital Republic Law (Article 43 bis of the 1978 data protection law) is already scheduled as a result of this entry into force (see supra). Similarly, the effectiveness of the new provisions relating to data recovery and portability are delayed to the same date as the European Regulation (see infra). Latham & Watkins | Page 4 2. Strengthening of Autorité de régulation des communications électroniques et des postes’ powers (Arts. 43 and 46 of the Digital Republic Law) Article L. 32-4 of the French Post and Electronic Communications Code (Code des postes et des communications électroniques) has been amended to broaden the investigatory powers of the French Electronic Communications and Postal Regulation Authority (Autorité de régulation des communications électroniques et des postes, or ARCEP), which is now expressly qualified as an independent administrative authority. Notably, the amendment enables ARCEP to monitor the principle of net neutrality introduced by the Digital Republic Law. As of now, ARCEP may carry out on-site investigations and seizures, as is the case with, for example, the French General Directorate for Competition Policy, Consumer Affairs and Fraud Control (DGCCRF), the CNIL or the French Competition Authority. These seizures expressly relate to electronic communications network operators, providers of online electronic communications services to the public and hosting infrastructure managers. ARCEP’s agents are now authorized to enter any premises used for business purposes between the hours of 8:00 A.M. and 8:00 P.M. and may access all documents or information necessary to carry out their mission. The subjects of such seizures may not assert professional secrecy against ARCEP agents. When a visit has not been previously authorized by a liberties and detention judge (juge des libertés et de la détention), the person responsible for the business premises may refuse to allow the seizure, and must be informed of his/her right to do so. Where there is such a refusal, administrative seizures may only be carried out after judicial authorization has been obtained. 3. Strengthening the rights of digital consumers 3.1. Recovery and portability of consumer data (Art. 48 of the Digital Republic Law) Articles L. 224-42-1 to L. 224-42-4 have been added to the French Consumer Code (Code de la consommation), which are located in a section entitled “Data recovery and portability.” Given the overlap of these provisions with the European general data protection regulation and, in particular, since the conditions for recovery expressly refer to such Regulation, these new provisions will only come into effect on 25 May 2018. Pursuant to these future provisions, a general principle is articulated, under which “under all circumstances, the consumer has a right to recover all of his/her data.” Any provider of online electronic communications services to the public must offer a free service that allows consumers to recover all data relating to such user. This covers (i) all files uploaded by the consumer, (ii) all data resulting from the use of user accounts that the user can retrieve online, other than those that were subject to significant enhancements by the provider (which seems to exclude search histories and lists of purchases — a decree will specify the list of the types of enhancements deemed to be insignificant and that therefore cannot give rise to a recovery refusal), and (iii) other data associated with the user account, which shall be subject to certain conditions to be specified by regulation. In the event it is impossible to recover such data with an open standard that is easily recoverable, the provider must clearly and transparently inform the consumer, and inform the consumer of alternative means of recovery. Latham & Watkins | Page 5 3.2. Regulation of online platforms (Arts. 49, 50 and 52 of the Digital Republic Law) • Introduction and definition of online platform operators Article L. 111-7 of the French Consumer Code is amended to introduce a new category of ecommerce intermediary, that of the “online platform operator,” which is defined as “any natural or legal person that offers for business purposes, for free or in exchange for compensation, an online communication service to the public that is based on 1) ranking or listing using digital algorithms of content, goods or services offered or put online by third parties; or 2) establishing relationships between parties in view of the sale of goods, the offering of services or the exchange or sharing of content, goods or services.” This category clearly addresses intermediaries acting between internet users and third parties, such as search engines, price comparison tools, marketplaces and platforms for the collaborative exchange of services among private individuals. Faced with the monopolization of access to the internet, legal regulation of platform operators seems to be necessary in order to avoid diversion of net neutrality for commercial ends. The law thus strengthens the nascent regime that first appeared with the law for growth, activity and equality of economic opportunities of 6 August 2015. That law concerned operators of commercial intermediation or service platforms that were required to deliver accurate, clear and transparent information on “the general terms of use of the intermediation service and on the methods or ranking, listing and delisting offers made online” (initially Article L. 111-5-1 of the French Consumer Code, today Article L. 111-7). This new category of internet players does not call into question the division between hosts (technical service providers that make information available online) and content editors (responsible for content), but is superimposed upon this division. • Obligations of online platform operators Online platform operators are required to provide consumers with accurate, clear and transparent information regarding (i) the general terms of use of the intermediation service and on the methods of the proposed ranking, listing and delisting, (ii) the existence of a contractual or financial relationship or remuneration to the operator that may influence such ranking or listing, (iii) the capacity of the advertiser and the civil and tax rights and obligations of the parties that arise when the consumer is introduced to a professional or nonprofessional. A decree will specify the implementing measures to be put in place, and will take into account the nature of the platform operator’s activities. In addition, online platform operators whose activities exceed a threshold number of connections — a threshold which is to be defined by decree — must prepare and provide consumers with best practices aimed at reinforcing the abovementioned accuracy, clarity and transparency obligations. Latham & Watkins | Page 6 • Regulation of online reviews authored by consumers Article L. 111-7-2 has been added to the French Consumer Code for the purpose of regulating a specific type of actor, i.e., sites that publish consumer reviews on goods or services. Under this new article, “any natural or legal person whose activities principally or partially consist of collecting, moderating or publishing online reviews originating from consumers must provide users with accurate, clear and transparent information on the methods of online publication and processing.” The aforementioned person must specify if such reviews are subject to controls, and lust describe the the principal characteristics of those controls. Consumers must also be informed of the date of the review, any updates and the justifications for rejecting a review if such review was not published. A free tool must be put in place to inform persons responsible for products or services being reviewed, which provides a substantiated alert notifying such person of any doubt on the authenticity of a review. 3.3. Strengthening of the confidentiality of private electronic correspondence (Art. 68 of the Digital Republic Law) The Digital Republic Law expands the obligations governing the confidentiality of private electronic correspondence. While postal service providers and electronic communications providers were already subject to such obligations, now they also apply to providers of online electronic communications services to the public. Providers of online electronic communications services to the public are the subject of a definition added to Article L. 32 (no. 23) of the French Post and Electronic Communications Code, i.e., “any person that makes available content, services or applications falling within the scope of online communications to the public within the meaning of IV of Article 1 of law no. 2004-575 of 21 June 2004 relating to confidence in the digital economy. In particular, persons that publish an online communication service to the public, as set forth in the second paragraph of section II of Article 6 of such law, or persons that store signals, writings, images, sounds or messages of any kind that are mentioned in paragraph 2 of section I of such Article 6, shall be considered to be providers of online electronic communications.” Regarding electronic communications operators and providers of online electronic communications services to the public, confidentiality extends to the contents of the correspondence, the identities of the correspondents, the message’s subject line, and attached documents. The text specifies that automated analytical processing of such information for the purpose of displaying, sorting or routing correspondence, or detecting spam or viruses, does not infringe upon the confidentiality of private electronic correspondence. However, confidentiality is infringed when the automated analytical processing is for the purposes of advertising, statistical or service improvement ends, except as may have been expressly and explicitly agreed to by the user. The frequency of consent renewal remains to be defined by regulation, but in any event cannot exceed one year. Latham & Watkins | Page 7 4. Cooperation among administrations and authorities The Digital Republic Law contains several provisions relating to cooperation among authorities. • Administrative agencies’ rights of access to documents held by other agencies (Art. 1 of the Digital Republic Law) The Digital Republic Law creates an obligation for the administrative agencies listed in the first paragraph of Article 300-2 of the French Code on Relationships between the Public and the Administration, i.e., the state, territorial communities and public or private law entities that are entrusted with a public service mandate, to transmit the administrative documents they possess to other agencies that so request for the purpose of accomplishing their public service missions. The purpose is to introduce in favor of administrative agencies a right comparable to the right of individuals provided under the Commission d’Accès aux Documents Administratifs (CADA) law, a French law with respect to access to administrative documents. This transmittal may only be made in compliance with the 1978 data protection law and so long as the transmittal does not infringe upon, in particular, the protection of privacy, medical secrecy, trade secrets, economic and financial information, commercial and industrial strategies, national security secrets or public safety secrets in accordance with Articles L. 311-5 and L. 311-6 of the French Code on Relationships between the Public and the Administration. • Reciprocal referrals between ARCEP and CNIL (Art. 61 of the Digital Republic Law) Article L. 135 of the French Post and Electronic Communications Code is amended to allow the CNIL to request an opinion from ARCEP with respect to any issue falling within its purview. The reverse is also contemplated by Article 11 of the 1978 data protection law. • Cooperation between the CNIL and its counterparts in states that are not members of the European Union (Art. 66 of the Digital Republic Law) Article 49 bis has been added to the 1978 data protection law, which authorizes the CNIL to carry out onsite and offsite verifications under the terms set out in Article 44 of the law, and to send information in response to a request of an agency carrying out similar functions to the CNIL’s in states that are not members of the European Union. However, three threshold conditions must be met before the CNIL can respond favorably to such a request: first, the non-EU member state in which the counterpart authority is located must offer an adequate level of protection of personal data, although the law does not specify how such adequacy should be assessed and, in particular, if it must be previously acknowledged as such by the European Commission; second, this cooperation requires that an assistance agreement have been previously entered into; and finally, the verification measures cannot relate to processing that is carried out on behalf of the French state regarding security, defense, or public safety, or processing for the prevention, search for, the finding or prosecution of criminal offenses. Latham & Watkins | Page 8 • Cooperation between the CNIL and CADA (Arts. 25 to 28 of the Digital Republic Law) The Digital Republic Law creates an institutional rapprochement between the CNIL and CADA, by including CADA’s president on the CNIL, and the CNIL’s president on the CADA, given their complementary roles as regards access to administrative documents and the protection of personal data. In addition, the two agencies have the ability to meet as a single commission if an issue of a common interest so justifies. 5. Miscellaneous 5.1. Digital identity and digital safes (Art. 86 and 87 of the Digital Republic Law) Article L. 136 is added to the French Post and Electronic Communications Code. The article relates to digital identity and permits the use of an electronic identification method in order to prove a user’s identity for the purpose of accessing an online communication service to the public. A new Article L. 137 is also added to the French Post and Electronic Communications Code. This article relates to digital safe services that are intended to “receive, store, delete and transfer data or electronic documents in a manner that can authenticate that such data or documents are unaltered and the accuracy of the origins of such data and documents.” Such a service also ensures (i) the traceability of transactions made on such documents or data, (ii) the identification of the user when access to the service is made through an electronic identification method, (iii) the recovery of data, and (iv) guaranteed exclusive access to electronic documents by the user, authorized third parties or the service provider after obtaining the user’s express consent. This digital safe may benefit from a certification by way of an order of the minister in charge of digital matters. 5.2. Payment transactions offered by network and electronic communications providers (Art. 94 of the Digital Republic Law) Pursuant to two new articles added to the French Monetary and Financial Code (Code monétaire et financier), network and electronic communications providers are authorized to furnish subscribers and users payment services (Article L. 521-3-1), and to issue and manage electronic currency (Article L. 521-3-1 and L. 525-6-1). The amount of each individual payment transaction cannot exceed €50, and cannot exceed €300 per month per single user. These payment transactions are reflected on the invoice for the initially used electronic communication service. These transactions relate to (i) the purchase of digital content (downloads of music and videos, online access to information, etc.), (ii) multimedia purchases of electronic tickets, and (iii) donation collection services. The implementation of these payment transactions is subject to the prior authorization and control of the French Prudential Supervisory Authority (Autorité de contrôle prudentiel et de résolution, or ACPR).

This article is made available by Latham & Watkins for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. Your receipt of this communication alone creates no attorney client relationship between you and Latham & Watkins. Any content of this article should not be used as a substitute for competent legal advice from a licensed professional attorney in your jurisdiction.

Related topic hubs

Compare jurisdictions: Data Security & Cybercrime

“As in house counsel for a medium sized NZ group of companies, I find the newsfeeds very useful as they keep me up-to-date with the latest legal info in areas I have subscribed for. The quality is very good and I would not hesitate to recommend to colleagues.”